Amazon S3 功能介绍

本文详细介绍了Amazon S3的功能,包括存储过程、管理、S3功能、访问控制机制等。S3支持创建和管理桶,提供多种访问控制策略如IAM策略、ACL和桶策略。数据元具有生命周期管理、版本控制和数据加密等功能,还可用于存储静态网站并支持BitTorrent协议。文章还讨论了数据保护措施和如何发起请求。
摘要由CSDN通过智能技术生成

1 存储过程

       创建用于存储数据元的桶,可以选择数据元所驻留的地区(目前来说,选择东京、新加坡会快些,美国本土更便宜),上传数据元到桶,进行持久化存储。另外,可以对上传的数据元及桶进行访问控制、加密等设置。每个AWS账户可以创建多个用户,用户可以对所拥有的数据进行上述权限控制。

       目前可存储的你内容有:

(1)多媒体、音乐、图片

(2)视频监控文件

(3)医疗系统的档案、资料

(4)静态网站资料

2 管理

       通过AWS管理控制台对数据进行控制。AWS控制台类似于EC2的web控制界面,或者通过API接口(Java、.Net)、REST接口编程实现。

3 S3功能简述

(1)创建桶、删除桶

(2)写入、读取、删除数据元,每个数据元的大小从1byte到5Tbyte

(3)根据用户密钥,查询桶信息及数据元信息

(4)选择数据所存储的地区,东京 or 新加坡 or 其他

(5)数据元的权限设置,可以向指定的用户开放,加密等

(6)使用基于REST和SOAP接口,提供JAVA,net的SDK

(7)便于添加其他功能,默认的下载协议是HTTP

(8)提供AWS管理平台,对数据进行管理

(9)在进行存储或者检索数据时,对数据进行校验和计算,验证是否损坏

(10)去冗余存储,用户可以自定义一些文件,比如缩略图、转码媒体等,使得这些文件的存储冗余副本数目低于标准的冗余副本数目

(11)数据源的访问日志记录,可用于审核等

(12)对数据元提供版本控制功能,用户可以恢复到之前的版本

4 访问控制机制

       S3的访问控制机制,主要有四种。

(1) Identity and Access Management (IAM) 策略:

IAM让拥有多名员工的组织能够在一个AWS账户下创建和管理多个用户,通过IAM策略,可以授予指定的用户对桶和数据元的细化控制。

(2)访问控制列表(ACL):

选择性的授予对个别数据元或者桶的特定权限。

(3)桶策略:

桶策略可以添加或者拒绝对单一桶内的部分或者所有数据元的权限。

(4)查询字符串身份验证:

根据此项的验证,能够通过仅在限定时间段内有效的URL共享数据元。

4.1 使用IAM策略

       IAM策略就是AWS Identity and Access Management。使用此策略可以利用AWS账户创建多个用户,给这些用户分配证书、管理其权限。主要是针对用户的。类似的还有ACL和桶策略。下面是三者的对比表:

 

       通过ACL,可以赋予其他的AWS账户相关权限来访问本账户所拥有的资源,通过IAM,只能赋予本AWS账户下创建的用户相关的访问权限。控制级别不一样。三者之间可以相互搭配,来组合安全策略。三者之间,在某些条件下也是等价的,比如:

 

在策略中,需要对objec 进行相关的action操作,就像上图中的PutObject一样,action列表如下。

Actions Related to Objects

  • s3:GetObject (covers REST GET Object, REST HEAD Object, REST GET Object torrent, SOAP GetObject, and SOAP GetObjectExtended)
  • s3:GetObjectVersion (covers REST GET Object, REST HEAD Object, REST GET Object torrent, SOAP GetObject, and SOAP GetObjectExtended)
  • s3:PutObject (covers the REST PUT Object, REST POST Object, REST Initiate Multipart Upload, REST Upload Part, REST Complete Multipart Upload, SOAP PutObject, and SOAP PutObjectInline)
  • s3:GetObjectAcl
  • s3:GetObjectVersionAcl
  • s3:PutObjectAcl
  • s3:PutObjectVersionAcl
  • s3:DeleteObject
  • s3:DeleteObjectVersion
  • s3:ListMultipartUploadParts
  • s3:AbortMultipartUpload
  • s3:GetObjectTorrent
  • s3:GetObjectVersionTorrent
  • s3:RestoreObject

Actions Related to Buckets

  • s3:CreateBucket
  • s3:DeleteBucket
  • s3:ListBucket
  • s3:ListBucketVersions
  • s3:ListAllMyBuckets (covers REST GET Service and SOAP ListAllMyBuckets)
  • s3:ListBucketMultipartUploads

Actions Related to Bucket Sub-Resources

  • s3:GetBucketAcl
  • s3:PutBucketAcl
  • s3:GetBucketCORS
  • s3:PutBucketCORS
  • s3:GetBucketVersioning
  • s3:PutBucketVersioning
  • s3:GetBucketRequestPayment
  • s3:PutBucketRequestPayment
  • s3:GetBucketLocation
  • s3:GetBucketPolicy
  • s3:DeleteBucketPolicy
  • s3:PutBucketPolicy
  • s3:GetBucketNotification
  • s3:PutBucketNotification
  • s3:GetBucketLogging
  • s3:PutBucketLogging
  • s3:GetBucketWebsite
  • s3:PutBucketWebsite
  • s3:DeleteBucketWebsite
  • s3:GetLifecycleConfiguration
  • s3:PutLifecycleConfiguration

同时,还有策略的Key值,可以根据策略的key来更加严格的控制资源。key值列表如下:

 

Action Applicable Keys Description

s3:PutObject

s3:x-amz-acl

The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3.

Valid values: private | public-read | public-read-write | authenticated-read | bucket-owner-read |bucket-owner-full-control | log-delivery-write.

Example value: public-read

s3:x-amz-copy-source

The header that specifies the name of the source bucket and key name of the source object, separated by a slash (/). Used when copying an object.

Example value: /bucketname/keyname

s3:x-amz-grant-read, s3:x-amz-grant-write,​ s3:x-amz-grant-read-acp,​ s3:x-amz-grant-write​-acp,​ ​s3:x-amz-grant-full​-control

These conditions relate to the ACL-specific request headers the action supports. You can add a condition in your bucket policy to deny or grant the action based on the presence of these headers headers with specific values. For more information about the API and the request headers, go to PUT Object.

For an example policy that uses these condition keys, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control .

s3:x-amz-server-side-encryption

Allow the specific action only if x-amz-server-side-encryption header is present in the request and its value matches the specified condition. with

Valid values: AES256

Example value: AES256

s3:x-amz-metadata-directive

The header that specifies whether the metadata is copied from the source object or replaced with metadata provided in the request. If copied, the metadata, except for the version ID, remains unchanged. Otherwise, all original metadata is replaced by the metadata you specify. Used when copying an object.

Valid values: COPY | REPLACE. The default is COPY.

Example value: REPLACE

s3:PutObjectAcl

s3:x-amz-acl

The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3.

Valid values: private | public-read | public-read-write | authenticated-read | bucket-owner-read |bucket-owner-full-control | log-delivery-write.

Example value: public-read

s3:x-amz-grant-read, s3:x-amz-grant-write,​ s3:x-amz-grant-read-acp,​ s3:x-amz-grant-write​-acp,​ ​s3:x-amz-grant-full​-control

These conditions relate to the ACL-specific request headers the action supports. You can add a condition in your bucket policy to deny or grant the action based on the presence of these headers headers with specific values. For more information about the API and the request headers, go to PUT Object acl.

For an example policy that uses these condition keys, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control .

s3:GetObjectVersion

s3:VersionId

The version ID of the object being retrieved.

Example value: Upfdndhfd8438MNFDN93jdnJFkdmqnh893

s3:GetObjectVersionAcl

s3:VersionId

The version ID of the object ACL being retrieved.

Example value: Upfdndhfd8438MNFDN93jdnJFkdmqnh893

s3:PutObjectVersionAcl

s3:VersionId

The version ID of the object ACL being PUT.

Example value: Upfdndhfd8438MNFDN93jdnJFkdmqnh893

s3:x-amz-acl

The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3.

Valid values: private | public-read | public-read-write | authenticated-read | bucket-owner-read |bucket-owner-full-control | log-delivery-write.

Example value: public-read

s3:x-amz-grant-read, s3:x-amz-grant-write,​ s3:x-amz-grant-read-acp,​ s3:x-amz-grant-write​-acp,​ ​s3:x-amz-grant-full​-control

These conditions relate to the ACL-specific request headers the action supports. You can add a condition in your bucket policy to deny or grant the action based on the presence of these headers headers with specific values. For more information about the API and the request headers, go to PUT Object acl.

For an example policy that uses these condition keys, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control .

s3:DeleteObjectVersion

s3:VersionId

The version ID of the object being deleted.

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值